The Gaping Holes in the SSCI Voting Security Report: Vendors and Mitch McConnell

The Senate Intelligence Committee released a 6-page report, titled “Russian Targeting of Election Infrastructure During the 2016 Election: Summary of Initial Findings and Recommendations,” on how to secure elections last night.

While it is carefully hedged (noting that states may have missed forensic evidence and new evidence may become available), it confirms that “cyber actors affiliated with the Russian Government” conducted the operation and that no “vote tallies were manipulated or [] voter registration information was deleted or modified.” It says the intrusions were “part of a larger campaign to prepare to undermine confidence in the voting process,” but in its admission that, “the Committee does not know whether the Russian government-affiliated actors intended to exploit vulnerabilities during the 2016 elections and decided against taking action,” doesn’t explain that the reason Russia would have decided against action was because Trump won.

The report is laudable for the care with which it describes the various levels of intrusion: scan, malicious access attempts, and successful access attempts. As it concludes, in a small number of states (which must be six or fewer), hackers could have changed registration data, but could not have changed vote totals.

In a small number of states, Russian-affiliated cyber actors were able to gain access to restricted elements of election infrastructure. In a small number of states, these cyber actors were in a position to, at a minimum, alter or delete voter registration data; however, they did not appear to be in a position to manipulate individual votes or aggregate vote totals.

Among its recommendations, the report suggests that,

Election experts, security officials, cybersecurity experts, and the media should develop a common set of precise and well-defined election security terms to improve communication.

This would avoid shitty NBC reporting that falsely leads voters to believe over 20 states were successfully hacked.

Ultimately, though, this report offers weak suggestions, using the word “should” 18 times, never once calling on Congress to fulfill some of its recommendations (such as providing resources to states), and simply suggesting that the Executive warn of consequences for further attacks.

U.S. Government should clearly communicate to adversaries that an attack on our election infrastructure is a hostile act, and we will respond accordingly.

Predictably (especially coming from a Chair whose own reelection in 2016 is due, in part, to his party’s abuse of North Carolina’s administration of elections, the report affirms the importance of states remaining in charge.

States should remain firmly in the lead on running elections, and the Federal government should ensure they receive the necessary resources and information.

I guess Richard Burr would like the Federal government to give his colleagues more money to disenfranchise brown people.

But it’s not just in its weak suggestions that the report falls short. There are two significant silences that discredit the report as a whole: Mitch McConnell, and vendors.

For example, in a long section discussing laying out why DHS’ warnings in 2016 were insufficient, the report complains that the October 7, 2016 statement was not adequate warning.

DHS’s notifications in the summer of 2016 and the public statement by DHS and the ODNI in October 2016 were not sufficient warning.

The report remains utterly silent about Mitch McConnell’s refusal to back a more forceful statement (and, as I’ve noted, Burr and fellow Trump advisor Devin Nunes himself never joined any statement about the attacks).

In other words, while this report talks about gaps and is happy to blame DHS, it doesn’t consider the past and proposed role of top members of Congress.

The other big gap in this report has to do with the vendors on which our election system relies. To be sure, the report does, twice, acknowledge the importance of private sector companies in counting our vote, first when it describes that the vendors would are enticing targets that might need to be bound by more than voluntary guidelines.

Vendors of election software and equipment play a critical role in the U.S. election system, and the Committee continues to be concerned that vendors represent an enticing target or malicious cyber actors. State local, territorial, tribal, and federal government authorities have very little insight into the cyber security practices of many of these vendors, and while the Election Assistance Commission issues guidelines for Security, abiding by those guidelines is currently voluntary.

As a solution, it said that state and local officials should perform risk assessments for election infrastructure vendors, not that they should do so themselves (or be held to any mandated standards).

Perform risk assessments for any current or potential third-party vendors to ensure they are meeting the necessary cyber security standards in protecting their election systems.

Not all  states and almost no local officials are going to have the ability to do this risk assessment, and there’s no reason why it should be done over and over again across the country.

That’s particularly true given the fact that (as the report addresses the vulnerability posed by, but provides no remedy) the election vendor market has gotten increasingly concentrated.

Voting systems across the United States are outdated, and many do not have a paper record of votes as a backup counting system that can be reliably audited, should there be allegations of machine manipulation. In addition, the number of vendors selling machines is shrinking, raising concerns about supply chain vulnerability.

The report also suggests that DHS educate vendors.

DHS should work with vendors to educate them about the potential vulnerabilities of both voting machines and the supply chains.

But in a report that acknowledges the key role played by vendors in administering our elections, the report remains silent about Russian efforts to compromise them in 2016. Indeed, in its accounting of how many states were affected, the report admits its numbers don’t include vendors.

In addition, the numbers do not include any potential attacks on third-party vendors.

And yet — thanks in large part to Reality Winner — we know Russia did target vendors. Not only did they target them, but they appear to have succeeded, and succeeded in a way that may have affected the vote in North Carolina, Burr’s state.

In short, the report leaves a key aspect of known Russian efforts to target the vote completely unexamined, and it doesn’t consider the many ways that by compromising vendors in ways beyond cyberattacks might affect the vote.

Perhaps the report is silent about vendors precisely because of Winner’s pending case, to avoid publicly mentioning in unclassified form the attacks that the document she is accused of leaking. Or perhaps the committee just did an inadequate job of reviewing what happened in 2016.

Whichever it is, it’s unacceptable.

21 replies
  1. earlofhuntingdon says:

    Voting is a national issue and voting protections require mandatory national standards. That includes minimum standards for equipment and software and standards of openness and accountability for any vendor.

    If Congress can make right turn on red a national traffic standard, it can legislate standards for vendors of voting machines, voting software, data retention and data processing. Most of all, we need national standards for auditing software. It is unacceptable that vendors can avoid proper audits by throwing up their hands and saying, “That’s proprietary!’

    • SpaceLifeForm says:

      Sorry, but you bought into the narrative.

      Fuck the computerized voting equipment.

      Go back to pure paper.

      • dw says:

        Exactly. Paper ballots work perfectly fine in most countries.  The only possible justification for computerized equipment is to facilitate voting for those with disabilities.

        It’s far more important to have an accurate and uncompromised vote count than it is to be able to announce the results within a few hours.

  2. scribe says:

    Nice article in today’s NYT related to this issue, highlighting the good work being done in West Virginia.  2 major high points:  1.  they air-gap the online registration site from the actual registration database.  2.  All ballots have to be hand recount-able, i.e., all paper.

    Give credit where it’s due – they are trying.

    And, it appears, PA is looking to get rid of their no-paper-record touch-screen machines.

  3. Bob Tetrault says:

    Paper ballots, hand marked and hand counted in public.

    Comments about national standards for software, yada yadda utterly miss the point.

    With paper ballots and public counting we wouldn’t have to suffer through those painful debates about exit polling being so uncooperative and inaccurate. Screw the electronics! Screw their loss of employment!

    • Bob Conyers says:

      I generally agree on the voting side, although I’d note I think there is a role for machines in the tabulation and validation of ballots.

      I think any time you let voters put their mitts on ballots, you run a risk of some people doing screwy stuff – double voting, crossing out marks, and so on. A ballot validation scanner that checks for screwups can help catch mistakes before they are registered and let voters redo their ballots.

      I also don’t have a problem with initial machine counts as long as ballots are preserved for recounts and auditing. Hand tabulation can be pretty bad in the wrong hands.

      • tinao says:

        Bob,  I’ve been Judge of Elections and when I say the public can watch the counting, it no way implies anyone but those working the precinct handles the ballots.

  4. earlofhuntingdon says:

    Repetitive error message:

    Parse error: syntax error, unexpected ‘!’ in /home/emptywhe/public_html/wp-content/plugins/pdf-print-pro/pdf-print-pro.php on line 753

    • SpaceLifeForm says:

      State and local issues too.

      May actually be more important regarding Congress control, especially Senate.

  5. Soldalinsky says:

    There’s no mention of media collusion or Debbie Wasserman Schultz rigging the primaries in favor of Clinton over Sanders?  I think rigging the primaries is a far more important subject to address if we’re going to talk about “undermining confidence in the voting process.”

    The brief that follows is the most candid and blatant middle finger to voters I have ever seen by the status quo.  A complete absence of fiduciary duty to anyone that political parties seek to represent is a critical problem and makes any other conversation on the topic of “undermining confidence in the election process” moot.  Primary rigging is free speech according to the DNC!  Have a nice day :)


    • bmaz says:

      Hi there. I live in Arizona. I voted in the 2016 primary. Do tell how it was “rigged”. I’ll be waiting.

  6. lika2know says:

    There are something like 9,000 legal entities that can put something on a ballot. And, they can have different rules for voting than Federal elections call for. Louisiana is the only state that directly conducts all elections (due to their non-English common law history).

    As rightly pointed out, elections are also not funded by feds, and in some cases, not much is offered by the state except for rules. Remember that a lot of the people in positions of authority are elected, doubtless without much insight into their effectiveness. You might find Kris Kibach’s recent hand-slap by a Kansas judge for not taking her order seriously to reinstate 18k of disenfranchised voters provides some insight into the tangled relationships. It is even more entertaining to read about Kobach’s poor performance in the recent ACLU’s case; the judge supposedly gave him a copy of the evidence handling procedures.

    It must be obvious that computers cannot be taken completely out of the voting “chain”but also obviously their use must be critically assessed, and not just once.

    Like the voter fraud threat, there is s trade-off between ease of use, efficiency, and security. This report is a weak but good start; but remember Congress, DHS, and federal election agencies have zero experience running elections. The local agencies, counties, and states need empowerment and resources, in part to give them power to influence the vendors and improve practices.

    P.S. I used to do research in electronic voting.

Comments are closed.